accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-2785) ShellServlet vulnerable to CSRF
Date Sat, 24 May 2014 00:32:01 GMT


ASF subversion and git services commented on ACCUMULO-2785:

Commit 5d4cf3b425c291ce1a3133f1637145b51bf276cf in accumulo's branch refs/heads/1.5.2-SNAPSHOT
from [~elserj]
[;h=5d4cf3b ]

ACCUMULO-2785 Create a random string in the session, and provide it in requests to mitigate

> ShellServlet vulnerable to CSRF
> -------------------------------
>                 Key: ACCUMULO-2785
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>          Components: monitor
>    Affects Versions: 1.5.1, 1.6.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.5.2, 1.6.1, 1.7.0
> Noticed that the ShellServlet doesn't include any sort of CSRF token to prevent an attack,
but just uses the state of the session to determine authentication.
> I believe this means that the servlet is potentially vulnerable to a csrf attack. CORS
protects against the majority of this, I haven't been able to come up with a plausible vector
for an actual attack yet, but it would be good to clean up.

This message was sent by Atlassian JIRA

View raw message